U.S. Department of Agriculture
Office of Inspector General
Financial & IT Operations

Audit Report

Fiscal Year 2006 – Office of the Chief Financial Officer/National Finance Center General Controls Review

Report No. 11401-24-FM
September 2006

UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

September 28, 2006

REPLY TO ATTN OF: 11401-24-FM

TO:       Charles R. Christopherson, Jr.
          Chief Financial Officer
          Office of the Chief Financial Officer

THROUGH:  Kathleen A. Donaldson
          Audit Liaison Officer
          Office of the Chief Financial Officer

FROM:     Robert W. Young   /s/
          Assistant Inspector General for Audit

SUBJECT:  Fiscal Year 2006 – Office of the Chief Financial Officer/National Finance Center General Controls Review

This report presents the results of our review of internal controls at the Office of the Chief Financial Officer/National Finance Center (OCFO/NFC) for fiscal year 2006. The audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and American Institute of Certified Public Accountants Professional Standards AU Sections 316, 319, and 324, as amended by applicable Statements on Auditing Standards (SAS), which are commonly referred to as a SAS 70 audit. While OCFO/NFC has recovered from the disruptions caused by Hurricane Katrina and continued to improve its internal controls, the report contains a qualified opinion because certain control policies and procedures, as described in the report, had not operated effectively during fiscal year 2006.

The report describes weaknesses in OCFO/NFC internal control policies and procedures that may be relevant to the internal control structure of OCFO/NFC customer agencies. However, the accuracy and reliability of the data processed by OCFO/NFC and the resultant reports ultimately rests with the customer agency and any accompanying compensating controls implemented by the agency. The projections of any conclusions based on our audit findings to future periods are subject to the risk that changes may alter the validity of such conclusions. This report is intended solely for the management of OCFO/NFC, its customer agencies, and their auditors.

We appreciate the courtesies and cooperation extended to us during this review.

Executive Summary
Fiscal Year 2006 – Office of the Chief Financial Officer/National Finance Center General Controls Review (Audit Report No. 11401-24-FM)

Results in Brief

This report presents the results of our review of internal controls at the U.S. Department of Agriculture's Office of the Chief Financial Officer/National Finance Center (OCFO/NFC) for fiscal year 2006. While OCFO/NFC had continued to improve its internal controls, this report contains a qualified opinion because OCFO/NFC controls had not operated effectively to ensure that certain entity-wide security program planning and management, access, application change, system software, and service continuity control objectives were consistently achieved from October 1, 2005 through June 30, 2006. This occurred mainly because of disruptions to normal operating procedures while OCFO/NFC recovered its operations and reconstituted its workforce in New Orleans, Louisiana, after Hurricane Katrina. While we also identified certain controls that were not adequately designed, OCFO/NFC updated its procedures during our review to address these issues. The results of our tests and corrective actions taken by OCFO/NFC are described in exhibit B.

Our objectives were to perform procedures necessary to express opinions about whether (1) OCFO/NFC's description of controls in exhibit A presents fairly, in all material respects, the aspects of OCFO/NFC controls that may be relevant to a customer agency's internal control as it relates to an audit of financial statements; (2) the controls included and/or referenced were placed in operation and suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and customer agencies applied the controls specified in exhibit A; and (3) the controls we tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified were achieved during the period from October 1, 2005 through June 30, 2006.

Our audit disclosed that OCFO/NFC's description of controls presented fairly, in all material respects, the relevant aspects of OCFO/NFC. Also, in our opinion, the controls included and/or referenced in the description, as updated, were suitably designed to provide reasonable assurance that associated control objectives would be achieved if the described policies and procedures were complied with satisfactorily and customer agencies applied the controls specified in the OCFO/NFC description of controls.

Recommendations In Brief

During our review, OCFO/NFC reinstituted control activities that were disrupted after Hurricane Katrina and updated its procedures to address the control weaknesses we identified. We make no additional recommendations.

USDA/OIG-A/11401-24-FM                                                    Page i

Table of Contents

Executive Summary ........................................................................ i
Report of the Office of Inspector General ................................................ 1
Exhibit A – Office of the Chief Financial Officer/National Finance Center Description of Controls ... 3
Exhibit B – Office of Inspector General - Review of Selected Controls ................... 18

Report of the Office of Inspector General

TO:  Charles R. Christopherson, Jr.
     Chief Financial Officer
     U.S. Department of Agriculture

We have examined the control objectives and techniques identified in exhibit A for the U.S. Department of Agriculture's (USDA) Office of the Chief Financial Officer/National Finance Center (OCFO/NFC). Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of OCFO/NFC controls that may be relevant to a customer agency's internal control as it relates to the audit of financial statements; (2) the controls included or referenced in the description had been placed in operation as of June 30, 2006; and (3) such controls were suitably designed to achieve the control objectives in the description, if those controls were complied with satisfactorily and customer agencies applied the controls specified in the OCFO/NFC description of controls. The control objectives were specified by OCFO/NFC.

Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and standards issued by the American Institute of Certified Public Accountants and included those procedures we considered necessary to obtain a reasonable basis for rendering our opinion.

OCFO/NFC continued to improve its internal controls. However, certain security program planning and management, access, application change, system software, and service continuity control objectives, as described in exhibit B, were not consistently achieved during the period when OCFO/NFC was recovering its operations and reconstituting its workforce in New Orleans, Louisiana, after Hurricane Katrina. While we also identified certain control practices that were not adequately designed, OCFO/NFC updated its procedures during our review to address our concerns.

In our opinion, OCFO/NFC's description of controls in exhibit A presents fairly, in all material respects, the relevant aspects of OCFO/NFC controls that had been placed in operation as of June 30, 2006. Also, in our opinion, the controls included and/or referenced in exhibit A were suitably designed to provide reasonable assurance that the related control objectives would be achieved if the described controls were complied with satisfactorily and customer agencies applied the controls specified in the OCFO/NFC description of controls.

In addition, we performed tests to obtain evidence regarding the effectiveness of OCFO/NFC policies and procedures in meeting the control objectives included in exhibit A. The specific controls and the nature, timing, extent, and results of our tests are identified in exhibit B. This information has been provided to customer agencies and their auditors to be taken into consideration, along with information about the internal control at customer agencies, when making assessments of control risk for customer agencies. In our opinion, except for the matters referred to above, the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in exhibit A were achieved during the period from October 1, 2005 through June 30, 2006.

The relative effectiveness and significance of specific controls at OCFO/NFC and their effect on assessments of control risk at customer agencies are dependent on their interaction with the controls and other factors present at individual customer agencies. We did not evaluate the effectiveness of controls at individual customer agencies.

The description of controls at OCFO/NFC is as of June 30, 2006, and information about tests of the operating effectiveness of specific controls covers the period from October 1, 2005 through June 30, 2006. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at OCFO/NFC is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projections of any conclusions, based on our findings, to future periods are subject to the risk that changes may alter the validity of such conclusions. Finally, the accuracy and reliability of data processed by OCFO/NFC and the resultant reports ultimately rests with the customer agency and any compensating controls implemented by such agency.

This report is intended solely for the management of OCFO/NFC, its customer agencies, and their auditors.

/s/

Robert W. Young
Assistant Inspector General for Audit

September 21, 2006

Exhibit A – Office of the Chief Financial Officer/National Finance Center Description of Controls
Exhibit A – Page 1 of 15

Pages 4 through 17 are not being publicly released due to the sensitive security information they contain.

Exhibit B – Office of Inspector General - Review of Selected Controls
Exhibit B – Page 1 of 16

This exhibit describes the results of our tests of operating effectiveness for OCFO/NFC control objectives specified in exhibit A. It is intended to provide customer agencies with information about OCFO/NFC control structure policies and procedures that may affect the processing of customer agency transactions and the operating effectiveness of the policies and procedures we tested. This report, when combined with an understanding and assessment of the internal control structure policies and procedures at customer agencies, is intended to assist customer agency auditors in (1) planning the audit of customer agency financial statements, and (2) assessing control risk for assertions in customer agency financial statements that may be affected by OCFO/NFC control structure policies and procedures.

Our review was conducted through inquiry of key OCFO/NFC personnel, observation of activities, examination of relevant documentation and procedures, and other tests of controls. We also followed up on known control weaknesses identified in prior Office of Inspector General audits. We performed such tests as we considered necessary to evaluate whether operating and control procedures established by OCFO/NFC and the extent of compliance with them were sufficient to provide reasonable, but not absolute, assurance that the specified control objectives were achieved. Our testing was not intended to apply to any procedures not included in this exhibit or to procedures that may be in effect at customer agencies.

The following table presents the control objectives specified by OCFO/NFC in exhibit A, related control activities established by OCFO/NFC, a description of our tests to determine if OCFO/NFC controls were operating with sufficient effectiveness to achieve the specified control objectives, and the results of those tests. Each numbered entry below gives, in order, the CONTROL OBJECTIVE, the CONTROL ACTIVITIES, the TESTS PERFORMED, and the CONCLUSION.

CONTROL OBJECTIVE 1. OCFO/NFC ensures its entity-wide security program planning and management control objectives are met by:
  a. Enforcing the security life cycle process in all phases of the information system's life;
  b. developing and maintaining system security plans to document current controls and address planned controls for information technology (IT) systems in support of the organization's mission;
  c. verifying that security controls and features are examined both periodically and on an event driven basis according to departmental standards for certification and accreditation (C&A) of IT systems and infrastructure; and
  d. authorizing the operation of organizational information systems and any associated information system connections.

CONTROL ACTIVITIES: OCFO/NFC C&A procedures, which address security documentation requirements throughout an information system's life cycle, establish roles and responsibilities for a three-phased C&A approach:
  • Phase 1, the precertification phase, consists of defining the system, including its security categorization, and the scope of the C&A effort; identifying existing security controls from the security controls compliance matrix, reviewing the system security plan, reviewing the initial risk assessment, and negotiating with participants.
  • Phase 2, the C&A phase, includes conducting a security test and evaluation (ST&E), updating the risk assessment with findings from the ST&E, updating the system security plan, documenting certification findings, and forwarding the certification findings to the designated accrediting authority for an accreditation decision.
  • Phase 3, the post-accreditation phase, consists of managing the configuration of the system to ensure that the security posture of the system is not threatened by hardware or software changes, the system security plan is kept current, and performing re-accreditation every three years or when the system changes significantly.

TESTS PERFORMED: We reviewed the risk assessments, system security plans, ST&E reports, certification statements, and accreditation statements for OCFO/NFC's Payroll/Personnel System, Payroll Accounting System, System for Time and Attendance Reporting, and the associated general support systems. We randomly selected 15 of the 177 non-emergency projects associated with application changes that occurred between October 1, 2005 and March 15, 2006, and judgmentally selected 10 of the 222 general support system changes that were implemented between October 1, 2005, and March 4, 2006, and reviewed associated documentation provided by OCFO/NFC to determine if potential security impacts had been adequately assessed.

CONCLUSION: OCFO/NFC controls were suitably designed to achieve the control objectives. We also found that security impacts associated with changes to applications and general support systems were assessed. However, OCFO/NFC had not updated its general support system risk assessments, security plans, certifications, or accreditations to reflect the changes that occurred when data center operations were transferred to the interim computing facility in Philadelphia, Pennsylvania, in January 2006. OCFO/NFC officials told us that they were operating under extraordinary circumstances and there was not time to establish a new data center and perform a full C&A within the timeframes under which they were required to migrate off of the equipment at the recovery operations center after Hurricane Katrina. According to OCFO/NFC management, the certification and accreditation process was started as soon as normal business operations were resumed in January 2006. On August 3, 2006, OCFO/NFC provided us with the updated risk assessments, system security plans, ST&E reports, and draft certification and accreditation letters that were submitted to the U.S. Department of Agriculture's Office of the Chief Information Officer.

CONTROL OBJECTIVE 2. OCFO/NFC ensures its entity-wide security program planning and management control objectives are met by conducting periodic reviews and assessments of implemented security controls to ensure that the controls remain necessary and effective.

CONTROL ACTIVITIES: The OCFO/NFC information security program requires division directors and staff chiefs to perform periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices on at least an annual basis. In addition, the Cyber Security Staff is responsible for ensuring that plans, procedures, and security controls are tested.

TESTS PERFORMED: We interviewed OCFO/NFC personnel and reviewed the latest OCFO/NFC control self assessments for its major applications and general support systems.

CONCLUSION: OCFO/NFC controls were suitably designed and operating effectively to achieve the control objectives.

CONTROL OBJECTIVE 3. OCFO/NFC ensures its entity-wide security program planning and management control objectives are met by developing and implementing plans of action to correct any known or identified deficiencies and reduce or eliminate vulnerabilities in its information systems.

CONTROL ACTIVITIES: The OCFO/NFC information security program requires division directors and staff chiefs to prepare plans of action and milestones to remediate deficiencies and the Cyber Security Staff to ensure that remedial action plans for security deficiencies are implemented.

TESTS PERFORMED: We interviewed OCFO/NFC personnel and reviewed the OCFO/NFC plan of action and milestones. OCFO/NFC also provided the March 2006 monthly update that was sent to the Associate Chief Information Officer for Cyber Security.

CONCLUSION: OCFO/NFC controls were suitably designed and operating effectively to achieve the control objectives.

CONTROL OBJECTIVE 4. OCFO/NFC ensures its entity-wide security program planning and management control objectives are met by implementing personnel security controls, specifically background investigations and clearances, and ensuring adequate assignment of responsibilities.

CONTROL ACTIVITIES: OCFO/NFC had issued a management directive to define policy, responsibilities, and procedures for assigning risk levels, designating position sensitivity, and obtaining required background investigations for OCFO/NFC and contractor personnel. In May 2006, OCFO/NFC updated this directive to clearly require all employees to be assigned a position sensitivity designation, or risk level, and undergo the appropriate type of investigation. The updated directive also establishes requirements for re-evaluating risk levels when job responsibilities change or every two years.

TESTS PERFORMED: We selected 10 OCFO/NFC employees hired into IT positions since May 2003 to review the process for assigning risk codes. We also judgmentally selected 36 IT employees in a manner that ensured that different OCFO/NFC organizations were represented to determine if assigned risk levels were appropriate. We reviewed documentation to determine if employees assigned the high and moderate risk levels for computer/information system positions had completed required background investigations and periodic reinvestigations. We reviewed background investigation documentation for 10 contractors.

CONCLUSION: OCFO/NFC controls, as updated, were suitably designed to achieve the control objectives. However, controls had not operated effectively to ensure that risk levels were accurate and appropriate background investigations, or reinvestigations, had been performed for OCFO/NFC employees. For example:
  • Thirteen of the 36 employees reviewed did not have risk levels that reflected current duties;
  • 46 of 180 employees assigned a high risk level for computer/information system positions did not show initial background investigations; an additional 10 did not have evidence of reinvestigations; and 39 only had limited or minimum background investigations even though a full background investigation was required; and
  • 47 of the 83 employees with a moderate risk for computer/information system positions did not show an initial background investigation.
During our review, OCFO/NFC evaluated employee risk levels to ensure that proper background checks were initiated and updated its management directives to clarify personnel security responsibilities and specify risk level review requirements.

CONTROL OBJECTIVE 5. OCFO/NFC ensures its entity-wide security program planning and management control objectives are met by conducting security awareness and technical training to ensure that end users and system users are aware of the rules of behavior and their responsibilities in protecting the organization's mission.

CONTROL ACTIVITIES: The OCFO/NFC information security program includes security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of the information security risks associated with their activities, and their responsibilities in complying with agency policies and procedures designed to reduce these risks.

The OCFO/NFC management directive for security awareness training requires new OCFO/NFC employees and contractor personnel to attend the OCFO/NFC New Employee Security Briefing before being given access to OCFO/NFC computer systems. For customer agency employees, the customer agency is responsible for ensuring users sign an agreement to abide by rules of behavior for accessing OCFO/NFC systems prior to requesting their access.

The OCFO/NFC management directive for security awareness training also requires employees to complete annual security awareness training to renew their awareness of security responsibilities. This directive tasks the Cyber Security Staff with maintaining a security awareness program and division directors and staff chiefs with ensuring attendance.

In addition, the OCFO/NFC management directive for individual development plans specifies a process for ensuring that employees receive training required to perform their job functions.

TESTS PERFORMED: We interviewed OCFO/NFC personnel, reviewed the New Employee Security Briefing, and analyzed the security awareness tracking report as of April 26, 2006. We judgmentally selected a sample of 25 Government Employee Services Division and 25 Information Resources Management Division employees from organizational listings as of March 22, 2006, in a manner that ensured that staff members assigned to different organizational units would be selected. We reviewed the security awareness training status report as of April 30, 2006, and additional documentation to verify that they had completed the training.

CONCLUSION: OCFO/NFC controls were suitably designed to achieve the control objectives if customer agencies applied the controls specified in exhibit A. OCFO/NFC controls were also operating effectively to ensure that OCFO/NFC users were made aware of basic information system security concepts, but not OCFO/NFC-specific security responsibilities. While OCFO/NFC had planned for quarterly security awareness briefings addressing OCFO/NFC security-related directives, these briefings were not provided as planned because Hurricane Katrina disrupted the process. OCFO/NFC had plans to continue the quarterly security briefings.
6.
Control objective: OCFO/NFC ensures its entity-wide security program planning and management control objectives are met by enforcing physical and logical security measures to prevent errors and irregularities and the possibility of loss of data or processing, by limiting access to authorized users and restricting the types of transactions and functions that authorized users are permitted to exercise.

Control activities: For OCFO/NFC employees, the OCFO/NFC data security access policy directive states that access will be limited based on the minimum number of employees needed to effectively perform job functions, as determined by resource owners. This directive also establishes a standard process for requesting access to resources based on a standard form that documents the specific resources and access level required, the reason the access is needed, and both management and resource owner approvals. In June 2006, OCFO/NFC published a role-based security access policy and procedures for creating access roles, adding and removing staff members from existing roles, and modifying the access authorities included in existing roles.

In addition, the OCFO/NFC management directive for establishing internal controls over access requires separation of functions to guard against personnel having the opportunity to commit and/or conceal the intentional or unintentional alteration or destruction of data or software. If the separation of incompatible functions is not possible, branch chiefs are required to implement compensating controls. This directive also establishes procedures for ensuring that access remains appropriate over time. Division/staff office security coordinators are responsible for reviewing reports of personnel actions, and branch chiefs are responsible for periodically reviewing their employees’ access authorities to determine if access needs to be changed or removed.

Furthermore, the OCFO/NFC management directive for completing its separation form (NFC 1267) requires the employee or their first-line supervisor to hand-carry the form to different organizations, including ISSO, on the employee’s last working day. An ISSO representative signs the form to certify that mainframe access has been removed.

For customer agency employees, the customer agency is responsible for designating personnel who are authorized to request user additions, deletions, and security level changes. These customer agency security officers are also responsible for ensuring that the level of access assigned to a user remains appropriate over time. OCFO/NFC then grants authority to use (access) its facilities to individual users at the request of the customer agency security officer.

An additional management directive addresses the suspension/deletion of unused accounts and states that OCFO/NFC will use an automated process to delete user identifications after 150 days without use.

The OCFO/NFC network security policy requires physical access to servers and related components to be limited to authorized personnel. The policy also requires servers, backup facilities, uninterruptible power supplies, network switches, etc., to be installed in physically secured areas whenever possible.

Tests performed: We interviewed Information Systems Security Office (ISSO) personnel regarding the processes used to manage information system accounts and observed the process for creating mainframe user identifications (IDs) and passwords.

For OCFO/NFC users, we reviewed listings that identified access permissions for sensitive payroll/personnel applications, production libraries related to mainframe application configuration management, and system resources. We also evaluated access permissions for 4 OCFO/NFC employees that transferred as of October 28, 2005, and 10 employees that separated after October 1, 2005.

For customer agency employees, we reviewed access permissions for 14 judgmentally selected customer agency users whose accounts were created between October 1, 2005, and March 21, 2006. We also followed up on 13 employees that were either listed on a customer agency security officer listing or were assigned administrative access authorities consistent with customer agency security officer functions, to determine if OCFO/NFC was accurately maintaining its record of customer agency security officers.

For inactive user IDs, we reviewed a listing provided by ISSO in March 2003 to identify and follow up on accounts that had not been used in 180 days but were still active.

For physical access controls, we judgmentally selected 10 of the 36 employees with access to the interim computer facility for review.

Conclusion: OCFO/NFC controls, as updated, were suitably designed to achieve the control objectives if customer agencies applied the controls specified in exhibit A. In addition, physical access controls were operating effectively to achieve the control objectives. However, logical access controls had not operated effectively to ensure that access to sensitive resources was appropriately limited.

While OCFO/NFC had made substantial progress in implementing role-based access profiles, unnecessary access to payroll/personnel applications, application configuration management libraries, and sensitive system resources continued to exist. For example, 67 OCFO/NFC staff members were granted access to certain payroll and/or personnel applications even though it was not required to perform their job functions. This included 16 staff members assigned to application development organizations who were granted access to process transactions through certain payroll and/or personnel applications, which violates segregation of duties principles. OCFO/NFC removed this unnecessary access when role-based access profiles were assigned to the staff members with unnecessary access.

We also found that unnecessary access to sensitive system resources identified in our fiscal year 2005 review continued to exist. This included unnecessary access to 6 of 17 sensitive operating system libraries reviewed, 42 of 72 authorized program facility libraries reviewed, and a database utility that could be used to bypass normal controls. It appeared that the request to remove this access was not processed in the confusion after Hurricane Katrina. OCFO/NFC officials told us that the request had been resubmitted. In addition, 13 OCFO/NFC staff members were allowed to update certain production application configuration management libraries even though this access was not required to perform their job functions. OCFO/NFC officials told us that this access would be removed. In April 2006, OCFO/NFC established procedures that require annual reviews of all users and resources assigned to role-based access profiles.

In addition, we identified 10 OCFO/NFC employees that required access permissions that violated segregation of duties principles to perform their job functions. These access permissions provided the ability to create a fictitious employee position, enter payroll and personnel actions for the fictitious employee, and process payments for the fictitious employee for both USDA and other customer agencies. While OCFO/NFC had established controls to review manual payments for OCFO/NFC employees, it was not reviewing payments initiated by OCFO/NFC employees for customer organization employees. In addition, OCFO/NFC had not implemented controls to review other payroll and personnel actions entered by its employees.

For transferred employees, OCFO/NFC had not appropriately adjusted access for 2 of the 4 users we reviewed that had transferred organizations. This occurred because requests to cancel access authority were not submitted when the employees transferred, and OCFO/NFC was not producing the report of personnel actions that was intended to allow division office security coordinators to determine if access had been appropriately adjusted. During our review, OCFO/NFC established new procedures to ensure appropriate clearance of systems access, property, and other accountable items when employees transfer. These procedures include a control report that will be used to ensure that all transferred personnel have a completed transfer form.

For separated employees, 8 of the 10 employees that we reviewed continued to have access to OCFO/NFC systems after their separation date. This occurred mainly because the separation form that triggers access removal was not consistently processed during the period when OCFO/NFC staff members were deployed in different locations after Hurricane Katrina. In addition, OCFO/NFC had not always removed access before signing the separation form. During our review, OCFO/NFC created desk procedures to ensure that access was appropriately removed.

During our review, OCFO/NFC expanded its existing procedures for reviewing manual payments to include transactions initiated by OCFO/NFC employees for customer agencies, and created new reports to identify payroll and personnel actions initiated by its employees for review.

For customer agency employees, OCFO/NFC officials could not locate the access requests for 4 of the 14 customer agency employees we reviewed. These accounts were created during October 2005 while OCFO/NFC was operating in disaster recovery mode after Hurricane Katrina. For 3 of the remaining 10, OCFO/NFC granted access based on requests from personnel that were not in the customer agency security officer listing. We also identified 2 instances where OCFO/NFC granted more access than was specified in the original request. During our review, OCFO/NFC created desk procedures for processing requests from customer agency security officers to ensure that the requestor is an authorized security officer and that access is appropriately granted based on the request.

We also found that OCFO/NFC had not maintained an accurate record of customer agency security officers. OCFO/NFC officials told us they were verifying current customer agency security officers. Also, OCFO/NFC updated its internal procedures and the procedures provided to customer agency security officers to ensure that customer agency security officers are accurately identified.

For inactive user IDs, we determined that OCFO/NFC had implemented an automated process to delete mainframe user IDs after 150 days without use, but OCFO/NFC security officers and a certain type of customer agency security officer were not included in this process. OCFO/NFC updated its automated process to include these security officers in July 2006.

7.
Control objective: OCFO/NFC ensures its access control objectives are met by enforcing controls to uniquely identify users, processes, and information resources and by verifying the identity of a subject to ensure that it is valid.

Control activities: The OCFO/NFC network security policy requires both user IDs and processes to be identified with an individual and not to be shared. This policy also requires each user account to have a password to ensure that users can be identified and authenticated.

Tests performed: We reviewed a list of mainframe user IDs and followed up on 42 user IDs that appeared generic. We also observed the process for creating user IDs and passwords and connected to servers to ensure that authentication was required.

Conclusion: OCFO/NFC controls were suitably designed and operating effectively to achieve the control objectives.

8.
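The access-review tests behind controls 6 and 7 can be expressed as checks over an account listing. The following Python is an added example, not OCFO/NFC’s own code or process; the user IDs, organizational units, permission names, naming convention and review date are constructed assumptions. It flags the segregation-of-duties combination the audit describes (create a position, enter payroll and personnel actions, process payments), application developers holding production transaction access, IDs unused for 150 days or more (with an option that reproduces the original purge’s omission of security officers, so the two result sets can be compared), and IDs that look generic rather than tied to an individual.

```python
"""Access review checks for a mainframe payroll/personnel environment.

Added example, not OCFO/NFC code. It runs the checks behind the control 6
and 7 tests over a constructed account listing: segregation-of-duties
conflicts, developers with production transaction access, the 150-day
inactive-ID purge including the security-officer accounts the original
automated process skipped, and user IDs that look generic (shared) rather
than tied to an individual. IDs, org units, permission names and the naming
convention are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

INACTIVE_DAYS = 150
# Together these let one person fabricate an employee and pay them (control 6 finding).
TOXIC_COMBINATION = frozenset({"create_position", "enter_payroll_action", "process_payment"})
PRODUCTION_TRANSACTION_PERMS = frozenset({"enter_payroll_action", "process_payment"})
# Assumed convention: two initials and a 4-digit employee number, e.g. "JS1234".
INDIVIDUAL_ID = re.compile(r"^[A-Z]{2}\d{4}$")
GENERIC_WORDS = ("TEST", "ADMIN", "SHARED", "TEMP", "GUEST", "BATCH")


@dataclass(frozen=True)
class Account:
    user_id: str
    org_unit: str                 # "gesd", "app_dev", "isso", "customer_agency" (assumed)
    permissions: FrozenSet[str]
    created: date
    last_used: Optional[date]     # None = never logged on
    security_officer: bool = False


def sod_violations(accounts):
    """IDs whose permissions cover the whole create-position / enter-action / pay chain."""
    return sorted(a.user_id for a in accounts if TOXIC_COMBINATION <= a.permissions)


def developer_production_access(accounts):
    """Application developers who can process production payroll/personnel transactions."""
    return sorted(a.user_id for a in accounts
                  if a.org_unit == "app_dev" and a.permissions & PRODUCTION_TRANSACTION_PERMS)


def inactive_ids(accounts, as_of, exempt_security_officers=False):
    """IDs with no use for INACTIVE_DAYS or more (never-used IDs count from creation).

    exempt_security_officers=True reproduces the gap the audit found: security
    officer IDs were left out of the automated purge. The default includes them.
    """
    cutoff = as_of - timedelta(days=INACTIVE_DAYS)
    return sorted(a.user_id for a in accounts
                  if not (exempt_security_officers and a.security_officer)
                  and (a.last_used or a.created) <= cutoff)


def generic_looking_ids(accounts):
    """IDs that break the individual naming convention or contain a shared-use word."""
    return sorted(a.user_id for a in accounts
                  if not INDIVIDUAL_ID.match(a.user_id)
                  or any(w in a.user_id.upper() for w in GENERIC_WORDS))


def access_review(accounts, as_of):
    """One report a division security coordinator could work from."""
    return {
        "sod_violations": sod_violations(accounts),
        "developer_production_access": developer_production_access(accounts),
        "inactive_ids": inactive_ids(accounts, as_of),
        "inactive_ids_if_officers_exempt": inactive_ids(accounts, as_of, exempt_security_officers=True),
        "generic_looking_ids": generic_looking_ids(accounts),
    }


AS_OF = date(2006, 4, 30)  # constructed review date
SAMPLE_ACCOUNTS = [        # constructed listing; none of these are real IDs
    Account("AB1001", "gesd", frozenset({"enter_payroll_action"}), date(2004, 1, 10), date(2006, 4, 28)),
    Account("CD1002", "gesd", TOXIC_COMBINATION, date(2004, 1, 10), date(2006, 4, 29)),
    Account("EF2001", "app_dev", frozenset({"read_test_library", "enter_payroll_action"}), date(2005, 6, 1), date(2006, 4, 27)),
    Account("GH2002", "app_dev", frozenset({"read_test_library"}), date(2005, 6, 1), date(2006, 4, 27)),
    Account("IJ1003", "gesd", frozenset({"enter_payroll_action"}), date(2003, 3, 3), date(2005, 10, 15)),  # separated; access never removed
    Account("KL3001", "customer_agency", frozenset({"request_access"}), date(2003, 3, 3), date(2005, 9, 1), security_officer=True),
    Account("MN1004", "gesd", frozenset({"enter_payroll_action"}), date(2006, 4, 20), None),  # new, not yet logged on
    Account("PAYTEST1", "gesd", frozenset({"enter_payroll_action"}), date(2002, 2, 2), date(2006, 4, 1)),  # not tied to a person
]

if __name__ == "__main__":
    for check, ids in access_review(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{check}: {ids}")
```

Running the module prints each check against the constructed listing. The two inactive-ID results differ by exactly the security officer (KL3001), which is the class of account the audit found the automated purge had skipped; a never-used account is measured from its creation date so that a newly created ID is not deleted before its owner first logs on.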
Control objective: OCFO/NFC ensures its access control objectives are met by enforcing controls to monitor, analyze, investigate, and report on IT activity.

Control activities: The OCFO/NFC network security policy states that the following events will be logged: logons and logoffs; failed logons; lockouts and unlocks; server-based administrator activities; unsuccessful attempts to access information resources; and modifications to highly sensitive data and resources.

The policy also requires the Information Systems Policy and Control Staff (ISPCS) to monitor logs for unusual security events, including unsuccessful attempts to gain entry to systems or to access sensitive information; deviations from access trends; unsuccessful attempts to access highly sensitive data and resources; highly sensitive/privileged access outside of normal operations; and access modifications made by non-security personnel. If further investigation is required, ISPCS documents the findings and, if the event is found to be, or has the potential to be, a computer security incident, directs it to the Cyber Security Staff.

The policy also requires OCFO/NFC to develop and administer an intrusion detection program to reduce the risk of unauthorized access or hostile activity.

Tests performed: We interviewed OCFO/NFC personnel. We also reviewed system configuration information and monitoring reports.

Conclusion: OCFO/NFC controls were suitably designed, but were not operating effectively to ensure that unusual or suspicious activity against certain sensitive mainframe resources was identified and investigated. OCFO/NFC’s intrusion detection system was operating as intended and mainframe security events were being logged. However, some of the mainframe monitoring reports had not been consistently reviewed during fiscal year 2006. While it appeared that the security reporting processes were not interrupted after Hurricane Katrina, changes occurred in the way some reports were distributed, and the responsible parties were not always aware that the monitoring reports were being produced. OCFO/NFC performed a review of its mainframe monitoring reports that included documenting the current method of delivery, which should help ensure that reports are received by the appropriate staff member.

9.
Control objective: OCFO/NFC ensures its access control objectives are met by:
a. enforcing controls to monitor and control communications at the external boundary of the information system and at key internal boundaries within the system;
b. preventing public access into the internal networks;
c. only permitting connections to the Internet through controlled interfaces; and
d. allocating publicly accessible information system components to separate sub-networks with separate, physical network interfaces.

Control activities: The OCFO/NFC firewall policy requires all direct connections to the Internet or other networks to occur through an OCFO/NFC-managed firewall that denies all inbound and outbound protocols unless specifically permitted and identifies the source and destination for each permitted protocol. The firewall policy also establishes a requirement for a demilitarized zone between the Internet and OCFO/NFC’s internal network to support applications that require publicly accessible network servers. The demilitarized zone is protected by firewalls on both sides that permit http and https services and only allow administrative protocols through the internal network.

The OCFO/NFC network security policy requires all modems connected to the OCFO/NFC network to be documented and approved. The OCFO/NFC management directive for modem phone lines establishes procedures for requesting, approving, and performing an annual validation of authorized modem lines. In addition, OCFO/NFC runs a quarterly phone scan to identify unauthorized modems.

OCFO/NFC procedures also prohibit employees from connecting devices to the network without approval. Employees must submit Form NFC-1155. If approved, OCFO/NFC ensures that the device is appropriately protected before connecting it to the network.

Tests performed: We interviewed OCFO/NFC staff. We also obtained the OCFO/NFC firewall rules and reviewed the system test and evaluation report for the mainframe general support system and other system documentation for the interim computing facility.

We reviewed the results of OCFO/NFC phone scans performed in March 2006. We tested the modems identified by the OCFO/NFC phone scans and 16 modem lines at the interim computing facility to ensure that they were adequately secured. We also reviewed documentation associated with connecting devices to the OCFO/NFC network.

Conclusion: OCFO/NFC controls were suitably designed and operating effectively to achieve the control objectives.
OCFO/NFC ensures       The OCFO/NFC network security               We interviewed OCFO/NFC         OCFO/NFC controls, as updated,\n    its access control     policy states that physical access to the   officials, reviewed             were suitably designed and\n    objectives are met     network server and related components       documentation describing        operating effectively to achieve\n    by protecting the      is limited to authorized personnel. The     how physical access points      the control objective.\n    physical facility to   policy also requires servers, backup        are controlled, and observed\n    prevent                facilities, uninterrupted power supply,     physical security access\n    unauthorized access    network switches, etc., to be installed     points and processes at the\n    to the computers,      in physically secured areas whenever        interim computing facility.\n    printers, terminals,   possible. OCFO/NFC implemented\n    telecommunications     security procedures for gaining access      We judgmentally selected 10\n    equipment, and         to the interim computing facility in        of the 36 employees with\n    storage media.         January 2006. In July 2006,                 access to the interim\n                           OCFO/NFC updated these procedures           computing facility as of\n                           to include periodically reviewing the       April 24, 2006, for review to\n                           access control listing to ensure that       determine if their access was\n                           access was still appropriate and            appropriately authorized.\n                           analyzing physical access logs to\n                           identify unusual or suspicious attempts     We reviewed access logs that\n                           to access OCFO/NFC controlled areas         documented denied attempts\n                           at the interim computing facility.    
      to access OCFO/NFC\n                                                                       controlled areas at the\n                                                                       interim computing facility\n                                                                       from January 2006 through\n                                                                       April 2006.\n\n                                                                       We observed OCFO/NFC\n                                                                       procedures for escorting and\n                                                                       monitoring visitor activity\n                                                                       and reviewed associated\n                                                                       visitor access logs.\n11. OCFO/NFC ensures       The OCFO/NFC network security               We interviewed personnel,       OCFO/NFC controls were\n    its environmental      policy requires critical application        observed both OCFO/NFC          suitably designed and operating\n    protection control     network components have air                 and the interim computing       effectively to achieve the control\n    objectives are met     conditioning and humidity control           facility, and reviewed          objectives.\n    by maintaining a       systems to maintain temperatures            associated documentation.\n    secure, conditioned    within manufacturer specifications.\n    space with             In addition, the policy states that the\n    redundant              network and its components should\n    uninterruptible        be protected from the effects of static\n    power source,          electricity, power surges, dust,\n    physical event         smoke, water, and other particulate\n    monitoring, and        matter. 
In this regard, critical\n    available onsite       applications are required to reside on\n    assistance in order    systems with a backup power supply\n    to minimize            that includes both power surge\n    potential damage to    protection and line\n    or interruption of     conditioning/filtering capabilities. In\n    information            addition, OCFO/NFC operates,\n    systems.               maintains, and tests emergency power\n                           generators for use during commercial\n                           power outages.\n\n\n\n\nUSDA/OIG-A/11401-24-FM                                                                                                         Page 30\n\x0cExhibit B \xe2\x80\x93 Office of Inspector General - Review of Selected Controls\n                                                                                                              Exhibit B \xe2\x80\x93 Page 14 of 16\n    CONTROL                             CONTROL\n    OBJECTIVE                          ACTIVITIES                       TESTS PERFORMED                       CONCLUSION\n12. OCFO/NFC ensures       The OCFO/NFC management                     We interviewed OCFO/NFC       OCFO/NFC controls were suitably\n    that change control    directive for scheduled software            officials and reviewed        designed and operating effectively\n    objectives for         maintenance defines policy,                 system documentation.         for emergency changes, but not for\n    production             responsibilities, and procedures for                                      non-emergency changes.\n    application systems    controlling application software            We randomly selected 15\n    are met by:            changes. 
This directive requires all        of the 177 non-emergency      OCFO/NFC had adequately\n                           changes to be documented on a               projects and 5 of the 24      documented and approved the 14\n  a. Planning,             program change request form, tested         emergency projects            non-emergency projects we\n     developing,           according to development organization       associated with application   reviewed. However, OCFO/NFC did\n     implementing, and     guidelines, and approved prior to           changes that were             not provide complete requirements\n     directing a           implementation. Also, it includes a         implemented between           and/or unit test documentation for 5\n     software quality      step for updating associated procedure      October 1, 2005 and March     of the 14 projects. Three of these\n     assurance program     documentation.                              15, 2006, and reviewed        projects occurred while OCFO/NFC\n     that includes                                                     associated documentation      was deployed after Hurricane\n     configuration         Supplemental guidance for completing        provided by OCFO/NFC.         Katrina. The two additional projects\n     management and        program change request forms states         We eliminated one of the      with incomplete documentation\n     user acceptance       that the form serves as a cover sheet       non-emergency projects        appear to have been caused by\n     testing;              for requirements documentation and          selected because it was an    human error rather than a control\n                           should be prepared and approved.            emergency project that was    deficiency. In addition, OCFO/NFC\n  b. providing             Also, there is agreement on software        miscoded.                     
had not performed user acceptance\n     configuration         requirements as documented by                                             testing during fiscal year 2006 due to\n     management by         requirements analysts or the customer                                     staffing deficiencies and large\n     identifying and       agency.                                                                   backlogs caused by Hurricane\n     defining the                                                                                    Katrina. However, user acceptance\n     configuration items   Supplemental guidance for application                                     testing had been reinstated in August\n     in a system,          software testing requires both                                            2006.\n     controlling the       emergency and non-emergency\n     release and change    program changes to undergo unit\n     of these items        testing and additional testing for non-\n     through the system    emergency changes, which are\n     life cycle, and       classified as either mandated or\n     recording             routine. Mandated changes undergo\n     completeness and      user acceptance testing in a simulated\n     correctness of        production environment, unless\n     configuration         specifically waived by the operations\n     items;                manager or the user requesting the\n                           change; while routine changes undergo\n  c. maintaining           more formal quality assurance\n     baseline              acceptance testing unless specifically\n     configurations and    waived by the development\n     inventories of        organization, users, and other technical\n     organizational        personnel. 
Test plans that include test\n     information           cases and expected results; test results;\n     systems; and          and the associated approvals are\n                           required to be documented and\n  d. utilizing state-of-   maintained.\n     the-art change\n     control tools for\n     migration of\n     program changes\n     from development\n     environments to\n     quality assurance\n     and production\n     environments.\n\n\n\n\nUSDA/OIG-A/11401-24-FM                                                                                                      Page 31\n\x0cExhibit B \xe2\x80\x93 Office of Inspector General - Review of Selected Controls\n                                                                                                           Exhibit B \xe2\x80\x93 Page 15 of 16\n    CONTROL                             CONTROL\n    OBJECTIVE                          ACTIVITIES                     TESTS PERFORMED                       CONCLUSION\n13. OCFO/NFC ensures       OCFO/NFC C&A procedures                   We interviewed                  OCFO/NFC controls were\n    its systems software   recognize the importance security-        OCFO/NFC officials and          suitably designed to achieve the\n    are updated and        related documentation, including a        reviewed system                 control objectives. In addition,\n    protected from         trusted facility manual that explains     configuration                   OCFO/NFC controls were\n    malicious code by:     how to operate the system in the most     documentation.                  operating effectively to ensure\n                           secure manner. These procedures                                           that system software change\n    a. 
Giving particular   also state that standard operating        We judgmentally selected        requests were appropriately\n       attention to the    procedures may be included in this        10 of the 222 non-              documented, tested and\n       process utilized    manual or maintained separately.          emergency and 5 of the 41       approved. However,\n       to build, change,                                             emergency general support       OCFO/NFC controls had not\n       or implement the    The OCFO/NFC management                   system changes that were        consistently ensured that\n       system and          directive for IT infrastructure changes   implemented between             identified vulnerabilities were\n                           specifies responsibilities and            October 1, 2005, and            resolved in a timely manner.\n    b. maintaining a       procedures for changes to hardware        March 4, 2006, and\n       flaw remediation    and operating system software. This       reviewed OCFO/NFC               We identified 84 easily\n       process with        directive requires the requestor to       documentation associated        exploitable vulnerabilities that\n       patch               submit a change request; test the         with the changes.               
were identified in March 2006,\n       management,         change in a test environment and                                          but remained open in June 2006.\n       malicious code      document the results or the reason the    We reviewed vulnerability       As of July 8, 2006, 15 of these\n       screening, and      change was not tested; and provide a      scan reports from March         had been declared as either false\n       checks, along       method of validation to ensure that       through June 2006 and           positives or acceptable risks, 68\n       with personnel      the change operates as intended in the    documentation identifying       were included in action plans,\n       supervision,        production environment. Branch            vulnerabilities classified as   and 1 remained open. The 15\n       procedural          chiefs verify that testing was            false positives or acceptable   declarations for false positives\n       reviews.            performed, review the method of           risks.                          or acceptable risk occurred, on\n                           validation, and approve the request.                                      average, more than 85 days after\n                                                                                                     their identification. 
We also\n                           OCFO/NFC management directives                                            identified 68 additional easily\n                           and other guidance also establish                                         exploitable vulnerabilities that\n                           policies and procedures for                                               were identified in January 2006\n                           preventing information system                                             but not resolved until April\n                           vulnerabilities by requiring anti-virus                                   2006. OCFO/NFC officials told\n                           software, prohibiting users from                                          us that the delay in executing\n                           installing unauthorized software, and                                     declarations and addressing\n                           implementing network system                                               vulnerabilities was due, in part,\n                           security patches.                                                         to the limited number of staff\n                                                                                                     available after Hurricane Katrina\n                           In addition, the OCFO/NFC                                                 and the increased downtime\n                           management directive for network                                          associated with traveling to and\n                           vulnerability self assessments                                            from the interim computing\n                           requires vulnerability scans to be                                        facility. OCFO/NFC began\n                           performed at least quarterly. 
While                                       rerunning scans on a weekly\n                           the directive does not specify a                                          basis in May 2006. In addition,\n                           timeframe for resolution, it requires                                     the monthly plan of actions and\n                           action plans to be documented and                                         milestones reporting process\n                           approved for vulnerabilities that are                                     began tracking the resolution of\n                           not resolved within 45 days of                                            items noted.\n                           identification.\n\n\n\n\nUSDA/OIG-A/11401-24-FM                                                                                                      Page 32\n\x0cExhibit B \xe2\x80\x93 Office of Inspector General - Review of Selected Controls\n                                                                                                          Exhibit B \xe2\x80\x93 Page 16 of 16\n     CONTROL                             CONTROL\n     OBJECTIVE                          ACTIVITIES                      TESTS PERFORMED                    CONCLUSION\n14. OCFO/NFC ensures         The OCFO/NFC Information                  We interviewed               OCFO/NFC controls were\n    its service continuity   Security Program includes plans and       OCFO/NFC personnel, and      suitably designed to achieve the\n    control objectives are   procedures to ensure continuity of        reviewed the OCFO/NFC        control objectives. We also\n    met by:                  operations for information systems        Continuity of Operations     concluded that OCFO/NFC\n                             that support the operations and assets    Plan. We also reviewed the   controls were operating\n     a. Providing            of the agency. 
Division directors and     OCFO/NFC Computer            effectively except to ensure\n        continuity of        branch chiefs are responsible for         Incident Handling Guide      continuity of operations during\n        support and          providing plans and procedures in         and ST&E for the             emergencies or disasters.\n        developing,          coordination with OCFO/NFC central        mainframe general support\n        testing, and         recovery plan and developing,             system.                      While OCFO/NFC had updated\n        maintaining the      testing, and maintaining continuity of                                 its Continuity of Operations Plan\n        continuity of        operations plans for their business                                    to reflect their current operating\n        operations plan      units. In this regard, the OCFO/NFC                                    environment, it had not yet\n        to provide for       Continuity of Operations Plan states                                   completed updates of the\n        business             that OCFO/NFC conducts semi-                                           associated procedures for\n        resumption and       annual tests at the recovery                                           recovering computer operations to\n        to ensure            operations center and alternate work                                   ensure that architectural changes\n        continuity of        sites. 
In addition, OCFO/NFC                                           that occurred with the move to the\n        operations           management directives also define                                      interim computing facility or\n        during               standards, procedures, and                                             tested recovery of operations at\n        emergencies or       responsibilities for preparation,                                      the new recovery operations\n        disasters. This      implementation, and maintenance of                                     center. OCFO/NFC officials\n        control also         disaster recovery backup and restore                                   estimated that they would\n        includes the         jobs for the mainframe environment                                     complete the disaster recovery\n        backup               that require daily backups and storage                                 procedure update by September\n        capability           at an offsite location.                                                30, 2006, after performing a\n        available for                                                                               limited test to validate the new\n        system recovery;     The OCFO/NFC Information                                               recovery site set up and\n                             Security Program also includes                                         equipment. OCFO/NFC officials\n     b. establishing an      procedures for detecting, reporting,                                   also told us they had scheduled\n        incident             and responding to security incidents.                                  
another test for May 2007.\n        response             In this regard, the OCFO/NFC\n        capability to        computer incident handling guide\n        prepare for,         establishes policy, responsibilities,\n        recognize,           and procedures for addressing\n        report, and          computer security incidents.\n        respond to the\n        incident and         In addition, the OCFO/NFC\n        return the IT        management directive for sanitizing\n        system to            storage media containing sensitive\n        operational          data requires either degaussing or\n        status; and          shredding data storage media that will\n                             not be used again and either\n     c. controlling          degaussing or overwriting for data\n        access to and        storage media that will be transferred,\n        disposal of data     donated, stored, or reused.\n        media.\n\n\n\n\nUSDA/OIG-A/11401-24-FM                                                                                                     Page 33\n\x0c'
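The ISPCS log-review activity at the top of this exhibit page lists the event classes that monitoring reports are supposed to surface. The script below is an added illustration (not OCFO/NFC's monitoring reports or code) of how a reviewer would mechanically pull four of those classes out of an access log: repeated unsuccessful access attempts, unsuccessful attempts against highly sensitive datasets, privileged access outside normal operating hours, and access-permission changes made by someone outside the security staff. The log format, account names, dataset names, the "normal hours" window and the failure threshold are all assumptions; the log lines are constructed.

```python
"""Review of an access-monitoring log against the event classes the
ISPCS log-review policy names. Added illustration, not OCFO/NFC code;
record format, account names, dataset names and thresholds are assumed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of a mainframe-style access log (not a real NFC log).
SAMPLE_LOG = """\
2006-03-14 09:02:11 user=CLK004 action=READ result=FAIL resource=PAYROLL.MASTER
2006-03-14 09:02:40 user=CLK004 action=READ result=FAIL resource=PAYROLL.MASTER
2006-03-14 09:03:05 user=CLK004 action=READ result=FAIL resource=PAYROLL.MASTER
2006-03-14 10:15:00 user=CLK004 action=READ result=OK resource=TIMECARD.WEEKLY
2006-03-14 11:20:33 user=SEC001 action=PERMIT_CHANGE result=OK resource=PAYROLL.MASTER
2006-03-14 11:25:10 user=OPS017 action=PERMIT_CHANGE result=OK resource=TIMECARD.WEEKLY
2006-03-14 13:00:00 user=OPS017 action=LOGON result=OK resource=-
2006-03-14 23:41:17 user=OPS017 action=PRIV_ACCESS result=OK resource=SYS1.PARMLIB
"""

# Assumed site parameters: which datasets count as highly sensitive, which
# accounts belong to security staff, and what normal operating hours are.
SENSITIVE_PREFIXES = ("PAYROLL.", "SYS1.")
SECURITY_STAFF = {"SEC001", "SEC002"}
NORMAL_HOURS = range(6, 19)      # 06:00 through 18:59
FAILURE_THRESHOLD = 3            # repeated failures per user per review period


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    result: str
    resource: str


def parse_log(text: str) -> list:
    """Parse 'date time key=value ...' lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(Event(
            ts=datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            user=fields["user"], action=fields["action"],
            result=fields["result"], resource=fields["resource"]))
    return events


def review_log(events: list) -> list:
    """Return (finding_class, user, detail) tuples for items ISPCS should examine."""
    findings = []

    # 1. Repeated unsuccessful access attempts by one user.
    failures = Counter(e.user for e in events if e.result == "FAIL")
    for user, n in sorted(failures.items()):
        if n >= FAILURE_THRESHOLD:
            findings.append(("repeated_failed_access", user, f"{n} failures"))

    # 2. Unsuccessful attempts against highly sensitive datasets
    #    (one finding per user/dataset pair rather than per attempt).
    sensitive_fails = sorted({(e.user, e.resource) for e in events
                              if e.result == "FAIL"
                              and e.resource.startswith(SENSITIVE_PREFIXES)})
    for user, resource in sensitive_fails:
        findings.append(("failed_sensitive_access", user, resource))

    for e in events:
        # 3. Privileged access outside normal operating hours.
        if e.action == "PRIV_ACCESS" and e.ts.hour not in NORMAL_HOURS:
            findings.append(("privileged_access_off_hours", e.user,
                             e.ts.strftime("%Y-%m-%d %H:%M")))
        # 4. Access-permission changes made by someone outside security staff.
        if e.action == "PERMIT_CHANGE" and e.user not in SECURITY_STAFF:
            findings.append(("access_change_by_non_security", e.user, e.resource))
    return findings


if __name__ == "__main__":
    for finding in review_log(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the sample log this yields four findings: the three failed reads of PAYROLL.MASTER by CLK004 (reported once as a repeated-failure item and once as a sensitive-dataset item), the 23:41 privileged access by OPS017, and the permission change OPS017 made on TIMECARD.WEEKLY; SEC001's change is not reported because that account is on the security-staff list. The finding labelled "deviations from access trends" in the policy needs a per-user baseline and is not modelled here.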
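Control 9 describes the firewall policy in enough detail to express it as a rule-set check: a managed firewall that denies all inbound and outbound protocols unless specifically permitted, identifies the source and destination of each permitted protocol, passes only http and https through the outer firewall into the demilitarized zone, and passes only administrative protocols through the inner firewall. The following is an added example, not OCFO/NFC's firewall rules or any tool the report mentions: it audits a simplified rule list against those four requirements. The rule syntax, the zone names, the list of administrative protocols, and the weak and corrected rule sets are all constructed; the check that DMZ hosts may not initiate into the internal network is an interpretation of objective (b), preventing public access into the internal networks.

```python
"""Checks a firewall rule set against the boundary-protection policy
described for control 9. Added illustration; rule syntax, zone names,
the administrative-protocol list and both sample rule sets are assumed,
not OCFO/NFC's."""
from dataclasses import dataclass

ZONES = {"INTERNET", "DMZ", "INTERNAL"}
PUBLIC_SERVICES = {"http", "https"}          # the only services the outer firewall passes in
ADMIN_PROTOCOLS = {"ssh", "snmp", "syslog"}  # assumed set of administrative protocols


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    proto: str       # "http", "ssh", ... or "any"
    src: str         # zone name or "any"
    dst: str         # zone name or "any"


DENY_ALL = Rule("deny", "any", "any", "any")


def audit(firewall: str, rules: list) -> list:
    """Return policy violations for one firewall's rule list (empty list = compliant).
    firewall is "outer" (Internet/DMZ boundary) or "inner" (DMZ/internal boundary)."""
    issues = []
    # Default deny: whatever is not explicitly permitted must be dropped.
    if not rules or rules[-1] != DENY_ALL:
        issues.append(f"{firewall}: no final deny-all rule")
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        # Every permit must identify the protocol, source and destination.
        if r.proto == "any" or r.src not in ZONES or r.dst not in ZONES:
            issues.append(f"{firewall} rule {i}: permit must name protocol, source and destination")
            continue
        if firewall == "outer" and r.src == "INTERNET":
            if r.dst != "DMZ":
                issues.append(f"{firewall} rule {i}: Internet traffic may only reach the DMZ")
            elif r.proto not in PUBLIC_SERVICES:
                issues.append(f"{firewall} rule {i}: only http/https are permitted from the Internet")
        elif firewall == "inner":
            if r.proto not in ADMIN_PROTOCOLS:
                issues.append(f"{firewall} rule {i}: only administrative protocols cross the inner firewall")
            if r.src == "DMZ" and r.dst == "INTERNAL":
                issues.append(f"{firewall} rule {i}: DMZ hosts must not initiate into the internal network")
    return issues


# Constructed rule sets: a weak pair and a corrected pair.
WEAK_OUTER = [
    Rule("permit", "http", "INTERNET", "DMZ"),
    Rule("permit", "https", "INTERNET", "DMZ"),
    Rule("permit", "telnet", "INTERNET", "DMZ"),   # not a public service
    Rule("permit", "any", "any", "any"),           # unspecific and no default deny
]
WEAK_INNER = [
    Rule("permit", "http", "DMZ", "INTERNAL"),     # non-admin protocol, wrong direction
    DENY_ALL,
]
GOOD_OUTER = [
    Rule("permit", "http", "INTERNET", "DMZ"),
    Rule("permit", "https", "INTERNET", "DMZ"),
    Rule("permit", "https", "DMZ", "INTERNET"),
    DENY_ALL,
]
GOOD_INNER = [
    Rule("permit", "ssh", "INTERNAL", "DMZ"),
    Rule("permit", "snmp", "INTERNAL", "DMZ"),
    DENY_ALL,
]


if __name__ == "__main__":
    for name, fw, rules in [("weak", "outer", WEAK_OUTER), ("weak", "inner", WEAK_INNER),
                            ("good", "outer", GOOD_OUTER), ("good", "inner", GOOD_INNER)]:
        print(name, fw, audit(fw, rules) or "compliant")
```

The weak outer set produces three violations (a telnet permit from the Internet, a permit-any rule, and no closing deny-all) and the weak inner set two (an http permit, and one that lets a DMZ host open connections inward); both corrected sets audit clean. A real review would run the same checks over the exported rule base rather than hand-built lists, which is what obtaining the firewall rules in the tests performed for this control allows.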
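The finding under control 13 turns on elapsed time: the directive requires a documented and approved action plan for any vulnerability not resolved within 45 days of identification, and the false-positive and acceptable-risk declarations were made, on average, more than 85 days after identification. The script below is an added illustration (not an OCFO/NFC tool and not the report's data) of the aging arithmetic a plan-of-action-and-milestones process would apply to scan findings: it lists findings past the 45-day mark that still have neither an approved plan, a declaration, nor a fix, and it measures how long declarations took. The record layout, identifiers and dates are constructed.

```python
"""Ages vulnerability-scan findings against the 45-day action-plan
requirement described for control 13 and measures declaration lag.
Added illustration, not an OCFO/NFC tool; record layout, identifiers
and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

ACTION_PLAN_DEADLINE_DAYS = 45   # directive: approved plan required if unresolved after 45 days
AS_OF = date(2006, 7, 8)         # constructed review date


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    identified: date
    status: str                         # open | action_plan | false_positive | acceptable_risk | resolved
    status_date: Optional[date] = None  # when the declaration, plan or fix was recorded
    plan_approved: bool = False         # only meaningful when status == "action_plan"


# Constructed sample findings (not the report's 84 or 68 actual items).
SAMPLE = [
    Finding("V-001", date(2006, 3, 10), "false_positive", date(2006, 6, 20)),
    Finding("V-002", date(2006, 3, 10), "acceptable_risk", date(2006, 5, 15)),
    Finding("V-003", date(2006, 3, 10), "action_plan", date(2006, 4, 1), plan_approved=True),
    Finding("V-004", date(2006, 3, 10), "action_plan", date(2006, 6, 30), plan_approved=False),
    Finding("V-005", date(2006, 3, 10), "open"),
    Finding("V-006", date(2006, 6, 28), "open"),
    Finding("V-007", date(2006, 1, 12), "resolved", date(2006, 4, 20)),
]


def overdue(findings: list, as_of: date) -> list:
    """IDs of findings past the deadline with no approved plan, declaration or fix."""
    ids = []
    for f in findings:
        unresolved = f.status == "open" or (f.status == "action_plan" and not f.plan_approved)
        if unresolved and (as_of - f.identified).days > ACTION_PLAN_DEADLINE_DAYS:
            ids.append(f.vuln_id)
    return ids


def mean_declaration_lag(findings: list):
    """Average days from identification to a false-positive/acceptable-risk declaration."""
    lags = [(f.status_date - f.identified).days for f in findings
            if f.status in ("false_positive", "acceptable_risk") and f.status_date]
    return mean(lags) if lags else None


def summarize(findings: list, as_of: date) -> dict:
    """Status counts plus the two aging measures a monthly POA&M review would report."""
    counts = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    fixed = [(f.status_date - f.identified).days for f in findings
             if f.status == "resolved" and f.status_date]
    return {
        "as_of": as_of.isoformat(),
        "counts": counts,
        "overdue": overdue(findings, as_of),
        "mean_declaration_lag_days": mean_declaration_lag(findings),
        "mean_days_to_resolve": mean(fixed) if fixed else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE, AS_OF))
```

With the constructed data, V-004 (plan drafted but never approved) and V-005 (still open after 120 days) are the overdue items, V-006 is inside its 45-day window, the two declarations averaged 84 days, and the one resolved item took 98 days. Rerunning the same summary from each weekly scan, as the report notes OCFO/NFC began doing in May 2006, is what turns the 45-day rule into something the monthly reporting can actually track.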